author | netblue30 <netblue30@yahoo.com> | 2017-01-04 18:13:45 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2017-01-04 18:13:45 -0500 |
commit | e74fdab5d2125ce8f058c1630ce7cce19cbdac16 (patch) | |
tree | 9a293ccb85ee28e732f27ed72b0023178d2bdddf /src/firejail/pulseaudio.c | |
parent | Merge pull request #1021 from KOLANICH/fix_private-bin (diff) | |
security fixes
Diffstat (limited to 'src/firejail/pulseaudio.c')
-rw-r--r-- | src/firejail/pulseaudio.c | 45 |
1 files changed, 36 insertions, 9 deletions
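--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -127,11 +127,25 @@ void pulseaudio_init(void) {
 if (asprintf(&dir1, "%s/.config", cfg.homedir) == -1)
 errExit("asprintf");
 if (stat(dir1, &s) == -1) {
-int rv = mkdir(dir1, 0755);
-if (rv == 0) {
-if (set_perms(dir1, getuid(), getgid(), 0755))
-{;} // do nothing
+pid_t child = fork();
+if (child < 0)
+errExit("fork");
+if (child == 0) {
+// drop privileges
+drop_privs(0);
+
+int rv = mkdir(dir1, 0755);
+if (rv == 0) {
+if (set_perms(dir1, getuid(), getgid(), 0755))
+{;} // do nothing
+}
+#ifdef HAVE_GCOV
+__gcov_flush();
+#endif
+_exit(0);
 }
+// wait for the child to finish
+waitpid(child, NULL, 0);
 }
 else {
 // make sure the directory is owned by the user
@@ -145,12 +159,25 @@ void pulseaudio_init(void) {
 if (asprintf(&dir1, "%s/.config/pulse", cfg.homedir) == -1)
 errExit("asprintf");
 if (stat(dir1, &s) == -1) {
-/* coverity[toctou] */
-int rv = mkdir(dir1, 0700);
-if (rv == 0) {
-if (set_perms(dir1, getuid(), getgid(), 0700))
-{;} // do nothing
+pid_t child = fork();
+if (child < 0)
+errExit("fork");
+if (child == 0) {
+// drop privileges
+drop_privs(0);
+
+int rv = mkdir(dir1, 0700);
+if (rv == 0) {
+if (set_perms(dir1, getuid(), getgid(), 0700))
+{;} // do nothing
+}
+#ifdef HAVE_GCOV
+__gcov_flush();
+#endif
+_exit(0);
 }
+// wait for the child to finish
+waitpid(child, NULL, 0);
 }
 else {
 // make sure the directory is owned by the user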
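Review bot: The privileged parent never learns whether the unprivileged child actually created the directory: in both hunks the child ends with `_exit(0)` whatever `mkdir` returned, and `waitpid(child, NULL, 0)` discards both its own return value and the child's exit status. Since the point of the fork is that root no longer acts on a user-controlled path, the parent should at least check the wait, `if (waitpid(child, NULL, 0) == -1) errExit("waitpid");`, and re-validate `dir1` (a real directory owned by `getuid()`) before any later privileged use; the rest of `pulseaudio_init` lies outside the hunks, so whether such a check already follows cannot be seen here. The two fork/`drop_privs`/`mkdir` sequences differ only in the mode (`0755` vs `0700`), so a small static helper taking the path and mode would keep the privilege drop in one place and make it harder for a future copy to omit it.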